Sometimes it’s really hard to tell what’s important from all the noise. The recent Equifax breach is one of those moments that’s slipping by. It shouldn’t. This data leak is much more damaging than you think. Worse, if you’re reading this, you’re probably affected, too.
Yes, I mean you! Stop being a jerk with that woman and pay attention.
Look, I know this sounds weird. Evening news shouts out another big data breach. Ho hum. We get the same squeaking sound every week or two, shrieking about the latest breach that leaves millions of people exposed.
Linger on that image for a second.
Yahoo takes the prize for leaking around a billion people’s data (yeah, that’s the B-word), and then leaking another 500 million right after that. “Yahoo! data breaches” is its own damn Wikipedia page! I mean, Jesus!
But stuff like the Yahoo breach, for all their lurid numbers, aren’t especially damaging. Yahoo, for example, mostly lost… Yahoo credentials. Change your password. If you’re one of the unlucky few who got their credit card leaked, get a new card number. And then you move on. Mildly annoying, but easy to fix.
The Equifax breach, though… whoa. That’s a different beast. We’re talking Social Security numbers, along with all the supporting stuff: date of birth, address, drivers’ license numbers, and more. That’s the worst stuff to lose, and Equifax lost most of its database: 143 million real people have been exposed.
How wide is that breach? Do the math. That’s more than half the people Equifax has credit records on, which translates to well more than half the families in the United States. If you have any credit record — almost every adult not living in a remote Oregon cabin — the odds are better than even that someone grabbed your data, too.
How deep is the breach? They have your SSN, and the other fiddling stuff (DOB, address, etc.) they’d need to really pull off a scam. So yeah, very deep.
Your SSN is the key to everything except your soul, and even that’s a toss-up. In many financial ways, you are your SSN. The banks track you with it, your work uses it as their unique ID for you, and all your credit information is stored under your SSN. It’s the biggest bit of data about you. By comparison to that, your name hardly matters.
Let me throw in some personal experience. I’ve had someone who tries to steal my identity, on and off, for decades. They’ve used my name, home address, phone number, email, cell number, work address, work phone, all that. They used my data to scam small businesses and doctors’ offices, mostly, but some bigger stores, too. I’ve had late-night calls ranging from angry shopkeepers to misguided lawyers. (Late-night dunning is illegal.)
And I didn’t really care. Well, no, that’s not right. I felt bad for the businesses. I did what I could to work with each one. To a point. But their distress wasn’t my problem. And, except for changing a stolen swipe card every couple of years, I didn’t have to do anything about it.
Why was I so blasé? The ID-theft jerks didn’t have my SSN. Sure, they were racking up bad credit by the metric ton under my name and address, but none of that was on my credit record. Nope. Not at TRW, Transunion, and… well, Equifax. (At least until now.) All your credit information is stored and retrieved by your SSN. Not your name; your SSN. The bad debt wasn’t tied to my SSN, so despite all the rest, I was fine.
And that sounds all nice and comfy right up until someone else does start waving around your real SSN. And like that, you’re hosed, big-time.
This is a great example of bad planning. The feds started assigning SSNs with the idea they’d be yours all your life. There was never a provision to change them. Why would you? It was only supposed to be used for tracking your Social Security taxes and benefits — a single government program — not everything and the DMV. There are actually laws saying you can’t use someone’s SSN for an ID number..
(Yeah, that sure didn’t work out, did it? Having a government-issued, unique ID that worked across the nation was just too handy. Everyone and their doctor glommed onto it. Hell, even the states used SSNs for people’s drivers license numbers.)
These days, SSNs are like passwords, in that they’re secrets only you and the government are supposed to know. But SSNs are not like passwords, because they can’t be easily changed. I mean, sure, you can change your SSN these days, although it’s still not exactly easy. The problem is everyone else: all your credit history is stored under your SSN; your medical history; your work history; all your government taxes and benefits outside of the Social Security program, too. If someone starts trashing your reputation using your now-not-private SSN, it’s hard to move away from it without losing big swaths of who you are.
Just think about your credit reputation. Start over with a new, blank SSN? Really? Are you prepared to be denied loans and credit cards for the next few years?
This has been an IT security issue for decades. I was lamenting this same problem when I was a fledgling security dork, back when we banged the rocks together for warmth. The only reassuring part was that it had gotten so bad, and so obviously intractable, we all figured it would only be a few years before someone got around to fixing it.
Ah… well.
So pay attention to this one. There should be consequences. Equifax knew about the breach five weeks ago, but didn’t tell anyone. Several key executives were allowed to cashed out gobs of their Equifax stock before the announcement. (Equifax swears that those executives — including the CFO — didn’t know about the breach. Right.)
So, this is one of those corporate moments where lots and lots of people have been harmed. The Equifax breach is still new. We won’t know the full extent of that harm right away, but could be huge.
Pay attention. There may be a test later. At least, for most of us.
